begin with hardening, tweaking

docker/tanner/docker-compose.yml

@@ -14,6 +14,7 @@ services:
     networks:
      - tanner_local
     image: "dtagdevsec/redis:1804"
+    read_only: true
 
 # PHP Sandbox service
   tanner_phpox:
@@ -25,6 +26,7 @@ services:
     networks:
      - tanner_local
     image: "dtagdevsec/phpox:1804"
+    read_only: true
 
 # Tanner API Service
   tanner_api:
@@ -32,10 +34,15 @@ services:
     container_name: tanner_api
     restart: always
     stop_signal: SIGKILL
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
     tty: true
     networks:
      - tanner_local
     image: "dtagdevsec/tanner:1804"
+    read_only: true
+    volumes:
+     - /data/tanner/log:/var/log/tanner
     command: tannerapi 
     depends_on:
      - tanner_redis
@@ -46,11 +53,16 @@ services:
     container_name: tanner_web
     restart: always
     stop_signal: SIGKILL
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
     tty: true
     networks:
      - tanner_local
     image: "dtagdevsec/tanner:1804"
     command: tannerweb
+    read_only: true
+    volumes:
+     - /data/tanner/log:/var/log/tanner
     depends_on:
      - tanner_redis
 
@@ -60,11 +72,16 @@ services:
     container_name: tanner
     restart: always
     stop_signal: SIGKILL
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
     tty: true
     networks:
      - tanner_local
     image: "dtagdevsec/tanner:1804"
     command: tanner
+    read_only: true
+    volumes:
+     - /data/tanner/log:/var/log/tanner
     depends_on:
      - tanner_api
      - tanner_web

docker/tanner/phpox/Dockerfile

@@ -17,9 +17,8 @@ RUN apk -U --no-cache add \
     pip3 install --no-cache-dir --upgrade pip && \
 
 # Install bfr sandbox from git
-    git clone https://github.com/mushorg/BFR /opt/BFR && \
+    git clone --depth=1 https://github.com/mushorg/BFR /opt/BFR && \
     cd /opt/BFR && \
-    git checkout 508729202428a35bcc6bb27dd97b831f7e5009b5 && \
     phpize7 && \
     ./configure \
       --with-php-config=/usr/bin/php-config7 \
@@ -31,7 +30,7 @@ RUN apk -U --no-cache add \
     echo "zend_extension = "$(find /usr -name bfr.so) >> /etc/php7/php.ini && \
 
 # Install PHP Sandbox
-    git clone https://github.com/mushorg/phpox /opt/phpox && \
+    git clone --depth=1 https://github.com/mushorg/phpox /opt/phpox && \
     cd /opt/phpox && \
     cp /root/dist/sandbox.py . && \
     pip3 install -r requirements.txt && \
@@ -46,5 +45,6 @@ RUN apk -U --no-cache add \
     rm -rf /var/cache/apk/*
 
 # Set workdir and start phpsandbox
+USER nobody:nobody
 WORKDIR /opt/phpox
-CMD python3.6 sandbox.py
+CMD ["python3.6", "sandbox.py"]

docker/tanner/phpox/docker-compose.yml

@@ -1,17 +0,0 @@
-version: '2.3'
-
-networks:
-  phpox_local:
-
-services:
-
-# PHP Sandbox service
-  phpox:
-    build: .
-    container_name: phpox
-    restart: always
-    stop_signal: SIGKILL
-    tty: true
-    networks:
-     - phpox_local
-    image: "dtagdevsec/phpox:1804"

docker/tanner/redis/Dockerfile

@@ -4,8 +4,7 @@ FROM redis:alpine
 ADD dist/ /root/dist/
 
 # Setup apt
-RUN apk -U --no-cache add \
-               redis && \ 
+RUN apk -U --no-cache add redis && \ 
 
     cp /root/dist/redis.conf /etc && \
 
@@ -15,4 +14,5 @@ RUN apk -U --no-cache add \
     rm -rf /var/cache/apk/*
 
 # Start conpot
+USER nobody:nobody
 CMD redis-server /etc/redis.conf

docker/tanner/snare/Dockerfile

@@ -1,30 +1,20 @@
 FROM alpine
 
-# Include dist
-#ADD dist/ /root/dist/
-
 # Setup apt
 RUN apk -U --no-cache add \
                build-base \
                git \
-               libcap \
                linux-headers \
                python3 \
                python3-dev && \ 
 
-# Setup ConPot
-    git clone https://github.com/mushorg/snare /opt/snare && \
+# Setup Snare 
+    git clone --depth=1 https://github.com/mushorg/snare /opt/snare && \
     cd /opt/snare/ && \
     pip3 install --no-cache-dir --upgrade pip setuptools && \
     pip3 install --no-cache-dir -r requirements.txt && \
     python3.6 clone.py --target http://example.com && \
-    cd / && \
-    #setcap cap_net_bind_service=+ep /usr/bin/python3.6 && \
     
-# Get wireshark manuf db for scapy, setup configs, user, groups
-    addgroup -g 2000 snare && \
-    adduser -S -s /bin/ash -u 2000 -D -g 2000 snare && \
-
 # Clean up
     apk del --purge \
             build-base \

docker/tanner/snare/docker-compose.yml

@@ -1,19 +0,0 @@
-version: '2.3'
-
-networks:
-  snare_local:
-
-services:
-
-# Snare service
-  snare:
-    build: .
-    container_name: snare
-    restart: always
-    stop_signal: SIGKILL
-    tty: true
-    networks:
-     - snare_local
-    ports:
-     - "80:80"
-    image: "dtagdevsec/snare:1804"

docker/tanner/tanner/Dockerfile

@@ -13,8 +13,8 @@ RUN apk -U --no-cache add \
                python3 \
                python3-dev && \ 
 
-# Setup ConPot
-    git clone https://github.com/mushorg/tanner /opt/tanner && \
+# Setup Tanner
+    git clone --depth=1 https://github.com/mushorg/tanner /opt/tanner && \
     cp /root/dist/config.py /opt/tanner/tanner/ && \
     cp /root/dist/requirements.txt /opt/tanner/ && \
     cd /opt/tanner/ && \
@@ -23,9 +23,11 @@ RUN apk -U --no-cache add \
     python3 setup.py install && \
     cd / && \
     
-# Get wireshark manuf db for scapy, setup configs, user, groups
+# Setup configs, user, groups
     addgroup -g 2000 tanner && \
     adduser -S -s /bin/ash -u 2000 -D -g 2000 tanner && \
+    mkdir /var/log/tanner && \
+    chown -R tanner:tanner /opt/tanner /var/log/tanner && \
 
 # Clean up
     apk del --purge \
@@ -37,5 +39,6 @@ RUN apk -U --no-cache add \
     rm -rf /var/cache/apk/*
 
 # Start conpot
+USER tanner:tanner
 WORKDIR /opt/tanner
 CMD tanner 

docker/tanner/tanner/dist/config.py

@@ -18,11 +18,11 @@ config_template = {'DATA': {'db_config': '/opt/tanner/db/db_config.json', 'dorks
                    'SQLI': {'type': 'SQLITE', 'db_name': 'tanner_db', 'host': 'localhost', 'user': 'root',
                             'password': 'user_pass'},
                    'DOCKER': {'host_image': 'busybox:latest'},
-                   'LOGGER': {'log_debug': '/opt/tanner/tanner.log', 'log_err': '/opt/tanner/tanner.err'},
+                   'LOGGER': {'log_debug': '/tmp/tanner/tanner.log', 'log_err': '/tmp/tanner/tanner.err'},
                    'MONGO': {'enabled': False, 'URI': 'mongodb://localhost'},
                    'HPFEEDS': {'enabled': False, 'HOST': 'localhost', 'PORT': 10000, 'IDENT': '', 'SECRET': '',
                                'CHANNEL': 'tanner.events'},
-                   'LOCALLOG': {'enabled': True, 'PATH': '/tmp/tanner_report.json'},
+                   'LOCALLOG': {'enabled': True, 'PATH': '/var/log/tanner/tanner_report.json'},
                    'CLEANLOG': {'enabled': False}
                    }
 

docker/tanner/tanner/docker-compose.yml

@@ -1,59 +0,0 @@
-version: '2.3'
-
-networks:
-  tanner_local:
-
-services:
-
-# Tanner Redis Service
-  tanner_redis:
-    container_name: tanner_redis
-    restart: always
-    stop_signal: SIGKILL
-    tty: true
-    networks:
-     - tanner_local
-    image: "dtagdevsec/redis:1804"
-
-# Tanner API Service
-  tanner_api:
-    build: .
-    container_name: tanner_api
-    restart: always
-    stop_signal: SIGKILL
-    tty: true
-    networks:
-     - tanner_local
-    image: "dtagdevsec/tanner:1804"
-    command: tannerapi 
-    depends_on:
-     - redis
-
-# Tanner WEB Service
-  tanner_web:
-    build: .
-    container_name: tanner_web
-    restart: always
-    stop_signal: SIGKILL
-    tty: true
-    networks:
-     - tanner_local
-    image: "dtagdevsec/tanner:1804"
-    command: tannerweb
-    depends_on:
-     - redis
-
-# Tanner Service
-  tanner:
-    build: .
-    container_name: tanner
-    restart: always
-    stop_signal: SIGKILL
-    tty: true
-    networks:
-     - tanner_local
-    image: "dtagdevsec/tanner:1804"
-    command: tanner
-    depends_on:
-     - tanner_api
-     - tanner_web